CYBER SECURITY & RISK MANAGEMENT
ANNUAL REVIEW 2015
Published by
Financier Worldwide
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom
Telephone: +44 (0)845 345 0456
Fax: +44 (0)121 600 5911
Email: [email protected]
www.financierworldwide.com
Copyright © 2015 Financier Worldwide
All rights reserved.
Annual Review • July 2015
Cyber Security & Risk Management
No part of this publication may be copied, reproduced, transmitted or held in a
retrievable system without the written permission of the publishers.
Whilst every effort is made to ensure the accuracy of all material published in
Financier Worldwide, the publishers accept no responsibility for any errors or
omissions, nor for any claims made as a result of such errors or omissions.
Views expressed by contributors are not necessarily those of the publisher.
Any statements expressed by professionals in this publication are understood to
be general opinions and should not be relied upon as legal or financial advice.
Opinions expressed herein do not necessarily represent the views of the author’s
firm or clients or of any organisations of which the author is a member.
Financier Worldwide canvasses the opinions of leading professionals around the world on the latest trends in cyber security & risk management.
Contents

UNITED STATES (page 06): Mary Guzman, McGriff, Seibels & Williams, Inc.
UNITED KINGDOM (page 10): Jamie Bouloux, CFC Underwriting, Ltd
SPAIN (page 14): Claudia Gómez, Aon Risk Solutions
GERMANY (page 18): Johannes Behrends, Aon Risk Solutions
NETHERLANDS (page 22): Matthijs Geerts, Aon Risk Solutions
SCANDINAVIA (page 26): Kristoffer Haleen, Willis AB
AUSTRALIA (page 30): Emma Osgood, AIG Australia
SOUTH AFRICA (page 34): Kenneth van Sweeden, Auto & General
ISRAEL (page 38): Sharon Shaham, AIG Israel Insurance Company Limited
INTRODUCTION

Cyber risk management is one of the most important and often discussed issues in the modern business landscape.

Today, the number of successful cyber attacks launched annually is on the rise. Though some industries are more susceptible than others, cyber security affects companies across a wide gamut of sectors. From multinational entertainment companies like Sony, to large national retailers like Target, to local ‘mom and pop’ stores, and even government agencies, nobody is safe.

Cyber crime primarily relates to financial gain, and cyber criminals are now fully aware of the value of personal data. In recent years, sensitive personal information including medical records and social security numbers has been stolen and sold on the open market. Hackers today are not simply one-man bands operating out of a bedroom; often they are part of sophisticated and well equipped organisations. In some instances, they are even state sponsored.

As a result of the sheer volume and complexity of these attacks, many companies struggle to defend themselves from external and internal threats. The so-called ‘Internet of Things’, while it promises new opportunities, poses a host of issues for companies battling to protect their assets. Unfortunately, this situation will only worsen in years to come. As we grow more reliant on electronic data and technology, the onus will be on companies and regulators to act.

Thankfully, boards are beginning to take notice. Cyber security and risk management is increasingly being viewed as an executive issue, not simply an IT issue. Facing threats from a litany of parties, including organised crime rings, disgruntled employees, nation states and hacktivists, companies are crafting breach response plans and taking out cyber insurance policies. On a governmental level, revisions to data privacy legislation may help turn the tide. Lawmakers are scrambling to keep up with technological innovations and evolving threats to personal data, to avoid being left behind by progressive cyber criminals.
UNITED STATES • MARY GUZMAN • MCGRIFF, SEIBELS & WILLIAMS, INC.

Q: In your opinion, what are the major cyber threats to which today’s companies are vulnerable? Could you comment on any recent, high profile cyber attacks in the US?

GUZMAN: Certain industries, such as retail, due to the inherent vulnerabilities in current card processing and Point of Sale (POS) systems, and healthcare, are perhaps bigger targets than others, but none are immune. A lesser known, but more worrisome risk, lies within the vulnerabilities of ‘embedded’ firmware, such as Industrial Control Systems like SCADA, switching devices, cameras, conferencing phones, and temperature control, and other command and control related devices not typically accessed through a keyboard or end-user device. Additionally, hackers are penetrating medical devices to bypass hospital security measures because typical scanning and detection systems cannot find harmful activity within these closed systems. The ‘Internet of Things’ facilitates hacking technologies that can cause physical damage or bodily injury, which has become more prevalent and, at the same time, difficult to defend against. Theft of intellectual property costs companies billions of dollars a year but doesn’t garner the same headlines as privacy breaches, as these breaches do not directly impact the individual. There have been multiple high profile cyber attacks on both retail systems and healthcare in recent months. The incidents with the highest level of interest from the insurance community are the Target and Anthem breaches. The former is attracting attention because the issuing banks – which generally are not fully reimbursed by the card brands for the cost of card reissuance following a retail breach – are directly suing the merchant for those costs. If successful, the case would set a major precedent for potential costs following a breach, increasing the risk for the merchant and its insurers.

Q: Given the risks, do you believe companies are placing enough importance on cyber security? Are board members taking a proactive, hands-on approach to improving policies and processes?

GUZMAN: Boards are certainly more aware of the risks and their responsibilities for oversight of security policies and procedures – particularly public companies. However, many boards and executive leadership focus extensively on compliance with particular laws and regulations, but not as much on actual breach prevention and response preparedness. Companies are challenged due to the natural conflict between doing the right thing and managing expenses. Eventually, there will either be further regulation or case law that establishes a minimum standard for negligence, which will further drive board level decisions around IT security. There is a lot of focus on benchmarking – companies want to spend and do as much as their peers but are reluctant to go much further.

Q: To what extent have cyber security and data privacy regulations changed in the US? How are these developments affecting the way companies manage and maintain compliance?

GUZMAN: The SEC is taking a harder position on the security policies and breach disclosures of public companies. This action, coupled with various initiatives within the financial institution, healthcare and utility industries, is helping to drive better behaviour. Nevertheless, no regulation or compliance effort will make any company impenetrable. Many companies are adopting the NIST framework as a guideline or a common framework against which organisations can be mapped and measured for security maturity and diligence.

Q: In your experience, what steps should companies take to avoid potential cyber breaches – either from external sources such as hackers or internal sources such as rogue employees? What key questions should they be asking when reviewing and reinforcing their systems and controls?

GUZMAN: In today’s environment, security breaches cannot be completely avoided. Sophisticated phishing scams, malware, DDoS attacks and zero day exploits are realities with which we must live. Continuous education, vigilance and improvements in security policies and procedures – people, process, and technology – can go a long way toward mitigating the likelihood and severity of the outcome. Many companies are less focused on keeping hackers out and more concentrated on keeping data from being exfiltrated once a hacker or employee who exceeds their access privileges is inside. Data asset classification and specific plans around the protection of the most sensitive data are crucial; whether at rest, in transit or in the hands of a third party service provider. There should be a much heavier emphasis, in our experience, on what security protocols a company’s vendors have in place. Mobile device security is another area that still demands major improvement for most companies.

Q: How should firms respond immediately after falling victim to cyber crime, to demonstrate that they have done the right thing in the event of a cyber breach or data loss?

GUZMAN: First and foremost, the company should already have in place a tested breach response plan with key expert resources pre-selected to assist them from the onset. This plan would include the designation of the central authority figure at the company who will manage all the moving parts following breach discovery. It is often the general counsel along with outside privacy counsel who should be well versed in state and federal laws, familiar with the nuances in breach investigations, well acquainted with the expectations of the states’ Attorneys General, and should have seasoned expertise in guiding other organisations through past crises. A successful breach response strategy will include both senior and operations personnel who will be key contributors in executing the tactical plan. This includes managing the various external resources needed to forensically investigate the source and scope of the breach, provide notice to customers and accessible call centre services, offer credit monitoring and identity theft restoration solutions, responses to regulatory investigations, and manage public relations.

Q: In what ways can risk transfer and insurance help companies and their D&Os to deal with cyber risk, potential losses and related liabilities? How are insurance providers adjusting or enhancing their insurance solutions to meet market needs?

GUZMAN: Well crafted cyber insurance programs can cover many of the costs associated with data and network security breaches, including the resulting legal liabilities. Brokers and insurers have worked collaboratively to offer meaningful risk transfer solutions with special coverage grants for risks unique to certain industry groups. Insurers are developing new solutions to best underwrite catastrophic insurance protection as concerns heighten around cyber attacks that generate potential claims for actual property damage losses or for bodily injury. Directors would benefit from conducting a holistic enterprise-wide risk analysis of the company’s likely and worst case scenarios, and determining how its current insurance program provides for loss recovery. The biggest challenge insurers are facing today is the potential impact of a cyber breach on tangible property. Many of the traditional property, terrorism, general liability and pollution markets are not prepared to underwrite the aggregation risk implicated by a massive, coordinated attack on critical infrastructure. The intense level of communication taking place between public and private industry to address this issue will likely involve much more scrutiny around security maturity and ‘insurability’ of various clients, therefore necessitating creative insurance, reinsurance and other financial backstop solutions. Many coverage deficiencies can be remedied by existing cyber insurance or some of these creative new solutions, and if not, companies can adopt an appropriate self-insurance strategy as part of their overall preparedness plan.

Q: What are your predictions for cyber crime and data security in the US over the coming years?

GUZMAN: The major cyber threats companies will face in the coming years include the constantly evolving exploits used to access critical data and proprietary systems by both insiders and third parties. This includes organised crime rings, disgruntled employees, nation-states and hacktivists. People, processes and technology are all easily compromised if the ‘hacker’ understands how to manipulate each of these three legs to the security ‘stool’. They fully understand the vulnerabilities created by vendors, mobile devices and internet-facing connections, as well as the human tendency to bypass or circumvent strong controls for convenience and expediency.

Mary Guzman
Senior Vice President
McGriff, Seibels & Williams
+1 (404) 497 7535

Mary Guzman is a Senior Vice President in the Errors & Omissions and Information Security practice of McGriff, Seibels & Williams. Her concentration is on the design, placement and oversight of customised executive risk solutions for the Fortune 1000 and other complex accounts. Ms Guzman has a strong background in errors and omissions/professional liability, cyber/privacy, and media risks across industry groups. Her current responsibilities include the strategic leadership role for both clients and the insurance markets relative to product and service development, education and consulting, and the development of market capacity in difficult to insure industries such as energy and financial institutions.
UNITED KINGDOM • JAMIE BOULOUX • CFC UNDERWRITING, LTD

Q: In your opinion, what are the major cyber threats to which today’s companies are vulnerable? Could you comment on any recent, high profile cyber attacks in the UK?

BOULOUX: The reality is that cyber threats have not changed over the past few years. Companies continue to be vulnerable to data asset theft, network and system failure, and ever increasingly the reliability of their IT supply chain. Considering these vectors for exploitation, any given company could suffer a cyber event, whether malicious or accidental. Unfortunately, the challenge is that the perpetrators of cyber crime have grown exponentially, as unlike traditional crime these attacks are faceless, low risk, lucrative, and can be impactful on any given entity. The recent attack against Germany’s Bundestag reminds us of the potential for weapon grade cyber code, such as 2010’s Stuxnet, and has created cause for concern as nation state infiltration continues to be a threat to both government and industry. New York’s Department of Financial Services has raised concerns around a potential ‘cyber 9/11’ in which it is understood that a hack into Wall Street firms could “spill over into the broader economy”.

Q: Given the risks, do you believe companies are placing enough importance on cyber security? Are board members taking a proactive, hands-on approach to improving policies and processes?

BOULOUX: It is apparent that cyber is becoming more of a board level discussion. The existence of many companies is based upon their ability to collect, utilise and ultimately trade their intellectual assets in their respective markets. Subsequently, the dynamic of traditional valuation has changed as companies are coming to realise that their intangible property – data – is often far more valuable than their current assets. As a standard, where physical security controls and internal fire sprinklers protect office facilities and human capital, organisations are investing heavily in applying IT and network security infrastructures to provide similar protections, with many companies outsourcing this function to data security specialists. The US has benefited from SEC guidance around companies having to ascertain not only the financial implications but also the operational implications of a cyber attack to their organisation. With the potential for diminished shareholder valuation, and the threat of a violation of Rule 10b-5, ‘cyber’ has had to become a boardroom discussion, with table top business continuity and incident response planning becoming the norm.

Q: To what extent have cyber security and data privacy regulations changed in the UK? How are these developments affecting the way companies manage and maintain compliance?

BOULOUX: Europe has been waiting since 2012 for the new Data Protection legislation, and continues to be governed by a directive which dates back to 1995. Subsequently, many parts of Asia and South America which trade and benefit from safe harbour with Europe are waiting to see how the legislation develops before they deliver their own cyber regulations. The result is that many companies don’t manage compliance around maintaining the integrity of their data. The obvious concern to industry which needs to be addressed, even if not through regulation, concerns the potential for theft of data and a loss of rate on investment of intellectual capital.

Q: In your experience, what steps should companies take to avoid potential cyber breaches – either from external sources such as hackers or internal sources such as rogue employees? What key questions should they be asking when reviewing and reinforcing their systems and controls?

BOULOUX: From system configuration and data segregation, to IT security management and external monitoring protocols, to even vendor management, the challenges of managing external threats are complicated and numerous. However, unfortunately the statistics still suggest that employee error and malicious intent are the biggest culprits for the proliferation of cyber attacks. Subsequently, companies should not only be limiting the rights and access controls employees have within the company’s internal networks, but should be implementing training strategies and driving awareness around cyber attacks and the operational and financial implications of dealing with these breaches. However, given the scope of security management, and the propensity for an event, a detailed audited response plan which has been tested can often be just as important as the most resilient of security architectures.

Q: How should firms respond immediately after falling victim to cyber crime, to demonstrate that they have done the right thing in the event of a cyber breach or data loss?

BOULOUX: Every firm is different, and will endure a cyber event with its own unique challenges. However, preparedness is essential. Companies should be looking to show that they were able to execute an effective, audited breach response plan and business continuity plan. Whether the firm outsources, operates managed systems or has a robust IT department, it should have predetermined vendors to help identify, mediate and resolve any potential issues. A company’s first priority should be to get back up and running and trading or producing as soon as possible. Further, know your facts before you notify your clients, and of course notify your insurance company.

Q: In what ways can risk transfer and insurance help companies and their D&Os to deal with cyber risk, potential losses and related liabilities? How are insurance providers adjusting or enhancing their insurance solutions to meet market needs?

BOULOUX: Cyber insurance solutions should mean different things for different companies, based on size and industry. Large companies should be looking for insurance solutions to align with their strategy for managing through a cyber event. Whether the event suffered is a breach of third party data or a business interruption, large corporates tend to have robust internal IT departments that work with preferred vendors to manage these events. As a result, insurance for these companies should be working as a risk transfer solution to provide financial protection, and as a failsafe vendor provider for any overlooked processes – such as notification and ID theft monitoring – to the affected companies. Conversely, cyber insurance can play a much more meaningful role for smaller companies. Consider that many insurance providers have aligned with security, legal and other third party vendors to develop their solutions and are able to leverage costs against portfolios to ensure that clients get quality service at better rates. The concept of providing ‘solutions’ for smaller clients allows for swift and effective event management, which helps companies revert to full capacity and limit any financial loss. This means that SME clients should be asking their brokers to provide details of service and contract when looking at purchasing cyber insurance.

Q: What are your predictions for cyber crime and data security in the UK over the coming years?

BOULOUX: Cyber crime remains an exploit of opportunity. As a result, we expect to see a continued increase in the number of smaller and midsized companies affected. Furthermore, given the ‘facelessness’ of the crime, and the ability to appropriate large volumes of data, and move it in the open market, we will continue to see large companies subjected to these incidents. The challenge is to understand where the next area of opportunity will be. Retail, healthcare, education and financial institutions are all susceptible to large scale exfiltration and can cause serious consumer cynicism, which not only affects the individual corporate brand but will continue to challenge the social contract with big business and the willingness for consumers to share data. A further concern is that cyber crime moves away from the financially motivated crime of opportunity, or even statement of hacktivism. As governments continue to enter the fourth vector of war, ‘cyber’, as a geopolitical tool for advancement and retaliation, has the ability to destabilise economies or even be weaponised. These concerns are driving legislatures to develop standards around the ‘duty of care’ for data at the private and public sector level. Increased attacks on corporates and even government facilities will drive increased legislation and a continued demand for consumer and national security.

Jamie Bouloux
Corporate Cyber
CFC Underwriting, Ltd.
+44 (0)020 7220 8500

A well-known and highly respected figure in the global cyber market, Jamie Bouloux joined CFC Underwriting in early 2015 to drive the development of the company’s large corporate cyber product on a global basis. Prior to joining, Mr Bouloux was head of cyber products and technology and media liability for Europe, Middle East and Africa at AIG and served as network security product leader and executive liability underwriter at AIG in the US.
SPAIN
Q IN YOUR OPINION,
WHAT ARE THE MAJOR
CYBER THREATS TO WHICH
TODAY’S COMPANIES ARE
VULNERABLE? COULD YOU
COMMENT ON ANY RECENT,
HIGH PROFILE CYBER
ATTACKS IN SPAIN?
CLAUDIA GÓMEZAON RISK SOLUTIONS
GÓMEZ: We would say malware, cyber espionage, insiders, data
breaches and cyber crime continue to be the most harmful threats that
companies face today. However, companies are increasingly embracing
the ‘Internet of Things’ – technologies which will provide momentum to
their businesses and will help them to stay ahead of their competition.
Although nobody is completely sure of the implications of the Internet
of Things for both privacy and security, there will be issues for sure.
Consequently, companies need to think of cyber threats and risk
as an evolving matter, otherwise the biggest cyber threat would be
unpreparedness. In Spain, there have not been any well publicised,
high profile attacks, though the Ministry of Industry indicated that
our country is the third most attacked after the US and the UK. It is
common knowledge, however, that Spanish banks and Spanish energy
companies were counted among the victims targeted by the Carbanak
and Dragonfly operations, but the consequences of those attacks remain
unknown.
GÓMEZ: Generally speaking, companies are becoming more conscious
of cyber threats. This should not only translate into increased investment
in cyber security, it should also help to establish other actions for
prevention and loss mitigation. However, there are huge differences
among companies, sectors of activity and segment. Although the boards
of many large corporations are now becoming aware of these threats, in
our opinion awareness is mainly among CISOs and IT staff, so we believe
there is still a lot to do in this respect. Additionally, companies and boards
continue to consider cyber risk as an IT issue, not as a real business issue
that could impact P&L, reputation and competitiveness, so there is still
need for increased perception and proper C-suite involvement.
Q GIVEN THE RISKS, DO
YOU BELIEVE COMPANIES
ARE PLACING ENOUGH
IMPORTANCE ON CYBER
SECURITY? ARE BOARD
MEMBERS TAKING A
PROACTIVE, HANDS-ON
APPROACH TO IMPROVING
POLICIES AND PROCESSES?
A N N U A L R E V I E W • C Y B E R S E C U R I T Y & R I S K M A N A G E M E N T A N N U A L R E V I E W • C Y B E R S E C U R I T Y & R I S K M A N A G E M E N TA N N U A L R E V I E W • C Y B E R S E C U R I T Y & R I S K M A N A G E M E N T
JULY 2015 • F INANCIER WORLDWIDE • 15 8www.f inancierworldwide.com
Q TO WHAT EXTENT HAVE
CYBER SECURITY AND DATA
PRIVACY REGULATIONS
CHANGED IN SPAIN? HOW
ARE THESE DEVELOPMENTS
AFFECTING THE WAY
COMPANIES MANAGE AND
MAINTAIN COMPLIANCE?
SPAIN • CLAUDIA GÓMEZ • AON RISK SOLUTIONS
GÓMEZ: In terms of data privacy, Spain is in a similar situation to the
rest of the European Union, as it awaits the new EU data protection
regulation. Spain is considered to have one of the toughest data
protection regulations in the world, but forthcoming changes will
make them even tougher. Probably due to the long delay in finalising
and implementing the EU regulation, companies are not getting
themselves prepared for the changes ahead. With respect to cyber
security preparedness, Spain started to take action one step behind
other countries, mainly as a consequence of the economic crisis that
put the national focus, and budget, on other issues and projects. In 2013
the government implemented the National Cyber Security Strategy,
which included the creation of the National Cybersecurity Council
which adopted the creation of a national cyber security plan aimed at
boosting the security and resilience of IT systems of Spanish companies
in general, but critical infrastructure in particular, as well as to enhance
capabilities against cyber terrorism and cyber crime. Some sectors,
namely financial institutions and the energy industry, are well ahead of
the curve in this particular respect.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?
GÓMEZ: As with any risk, the first thing companies should do is identify
the threats and their potential impact, and try to value them. This is
a difficult task as it requires valuing intangible assets, and IT assets
may have a different value depending on the company in question and
the timing. Such valuation is crucial to understand how the business
might be impacted if such information or technology is lost. Only after
such an exercise will companies be able to establish the appropriate
actions required to avoid or mitigate cyber risk. To us, one of the most
crucial actions is education throughout the whole company. Employees,
board members, commercial areas – everybody needs to be focused on
protecting the assets of the company. Another crucial action is crisis
response. If your company is not prepared when a breach happens, the
loss will be bigger and recovery probably slower.
Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?
GÓMEZ: Companies may need to demonstrate to regulators that they did
things properly, but most importantly, they need to convince their clients,
business partners and shareholders. We have seen in recent high profile
breaches phrases such as “We take our customers’ data and security very
seriously” but these words need to be properly supported; otherwise,
such statements will clearly have real consequences in terms of lost
clients, business and reputation. Companies must be able to demonstrate
that they did things correctly if they carry out a real risk management
process, which includes activities such as risk analysis and quantification,
investment in security, procedures and education, and mitigating actions
which may include risk transfer and a proper crisis plan.
Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?
GÓMEZ: Insurance is an element of risk mitigation, enabling companies to
recover the financial impact that a cyber event can have on a company. This
ranges from the huge amount of costs involved – including response costs to
affected parties, notification, forensics, and so on – to liabilities and the
recovery of loss of profits resulting from an event. However, and despite the
fact that insurance policies may seem fairly similar, there are differences
between insurers and the extent of cover on offer, so policies should be
adapted to each particular case. There are peculiarities on which certain
types of risk may need to focus, such as industrial and critical infrastructure,
and insurance needs to be adapted to provide proper coverage. Some policies
may include additional valuable services, such as consulting services or
guidance in claims and events, which may complement the company’s
own internal capabilities. We consider that proper risk management,
which includes effective risk transfer programmes to mitigate P&L impact,
will certainly have a positive influence on the supervisory duties of D&Os,
who will be able to demonstrate that they care about the company, its
shareholders and customers.
Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN SPAIN OVER THE COMING YEARS?
GÓMEZ: We believe cyber crime will be a feature until companies
realise the importance of fighting against certain behaviour, and help
enforcement authorities in the struggle. Crime and fraud will never
disappear but companies should not be afraid of recognising it is real
and thus facing it. We also believe cyber terrorism is a real threat to
Spanish companies and public entities as we are one of the main targets
of certain radical groups. While some industries have a high degree of
awareness, all companies should continue to invest in education at
every level. With respect to data security, we hope companies are able
to prepare in advance for the forthcoming regulation; failure to do so
will see them exposed to public opinion and suffering the consequences
of becoming part of the ‘data breach wall of shame’.
Claudia Gómez
Director
Aon Risk Solutions
+34 91 340 5645
Claudia Gómez is director of the Financial Lines Specialty for Aon in Spain. She heads the Cyber Risk Practice as well as the Financial Institutions Specialty. The Financial Lines Specialty in Spain handles management liability, professional liability, employment practices liability, initial public offering liability, crime and privacy & security liability for both commercial and financial institutions, including SMEs, big corporations and listed companies. Prior to joining Aon, Ms Gómez was Assistant Vice President in the financial lines department of another major insurance broking company.
GERMANY
JOHANNES BEHRENDS, AON RISK SOLUTIONS
Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN GERMANY?
BEHRENDS: The threats to which today’s companies are vulnerable
depend on the industry sector the company in question operates in.
However, there is one common threat that a lot of companies are facing:
business interruption caused by a hacker attack. In 2014, hackers struck
a steel mill in Germany. They did so by manipulating and disrupting
control systems to such a degree that a blast furnace could not be
properly shut down, resulting in physical damage. The case shows that
hackers are not just interested in stealing sensitive data; they are willing
to do damage to manufacturing plants. This development is a growing
concern. We expect these kinds of attacks to happen more often.
Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?
BEHRENDS: Big companies are very concerned about cyber risks
and they are initiating countermeasures. These firms also buy cyber
insurance. However, many small and medium-sized enterprises still
believe that they are not likely to be targeted by hackers. Furthermore,
they underestimate the probable maximum loss which a data breach
or an attack could cause them. There is still a lack of knowledge and
understanding – and considerable room for improvement.
Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN GERMANY? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?
BEHRENDS: The upcoming EU General Data Protection Regulation
and the German IT-Security Act will be extremely important for
German companies. Both regulations contain obligations to notify
authorities in certain cases. The IT-Security Act will mainly apply to
critical infrastructure and include not only the obligation to notify
data breaches, but also every major IT security incident. In addition,
managers of critical infrastructure will be obliged to maintain a certain
level of IT security. These upcoming regulations are gradually changing
companies’ views on cyber risks. They know that they will have to act.
While some of them already fulfil the requirements, others are waiting
for the ratified versions of the new regulations to see which measures
will be mandatory.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?
BEHRENDS: In order to avoid cyber breaches, companies need to know
their risks. The first step companies should take is to identify those
risks. Then they need to ask themselves: What will be the financial
impact, if scenario A, B or C occurs? For example, many companies are
not able to quantify their losses in the event of business interruption.
But only if questions like this have been answered will companies be
able to prepare for breaches or attacks. Companies need to raise the
awareness of employees and establish contingency plans. They should
also check procedures for granting access rights to employees, service
staff and guests.
Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?
BEHRENDS: If a company has not established its own crisis management
team, it will have to procure external help immediately. Usually, even
the best IT departments are not prepared for professional cyber attacks.
They need specialised IT consultants who are experienced in handling a
crisis and conducting IT forensics. If personally identifiable information is
affected, public authorities must be informed – otherwise, considerable
penalties may follow.
Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?
BEHRENDS: For small and medium-sized enterprises in particular,
cyber insurance offers much more than just the reimbursement of
financial losses. Most of these companies are not able to handle a crisis
caused by a cyber breach or data loss. Who do we have to inform?
How could the hackers enter our systems? How do we respond to
press inquiries? Companies need IT specialists, legal and PR advice in
order to react promptly and correctly. Insurance will pay for the costs
of these consultants but they provide for much more – for example, the
specialists needed in case of a loss. In addition, some German insurers
offer risk workshops to demonstrate to companies their cyber risks, and
to help them to initiate procedures to mitigate those risks.
Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN GERMANY OVER THE COMING YEARS?
BEHRENDS: We assume that cyber crime and related damages will
increase. Germany is one of the strongest economic regions in the world
and it would be naive to believe that our companies are not interesting
targets for hackers. Nowadays, hacker services can be bought on the
darknet for only a few euros. On the internet, instructions on how to
create Trojans are available for free. Never before has it been so easy to
spy on companies, steal sensitive data or shut down important systems.
This development will be accelerated by ever increasing digitalisation.
Therefore, decision makers must understand that their company’s
information assets are as valuable as the company’s material assets.
Consequently, there is no reason to handle them differently.
Johannes Behrends
Broker Financial Lines
Aon Risk Solutions
+49 208 7006 2250
Johannes Behrends studied law in Tuebingen and Hamburg. After his bar exam he worked as a lawyer, focusing mainly on internet law, entertainment law and intellectual property rights. Mr Behrends has worked for Aon Risk Solutions since 2009. He is a member of the Professional Services Group which is responsible for Cyber Risks and Professional Indemnity in particular for law firms, management consultants, financial services and publishing groups.
NETHERLANDS
MATTHIJS GEERTS, AON RISK SOLUTIONS
Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN THE NETHERLANDS?
GEERTS: Cyber threats manifest themselves in various forms. Companies
can be confronted with system failure, denial of service (DDoS) attacks
or the disclosure or loss of confidential and personally identifiable
information. The most strategic, and in our opinion damaging effect
of a cyber threat, particularly when the issue is not addressed properly,
is the danger posed to a company’s reputation, financial position and
ability to realise its short and long term objectives. An integrated cyber
strategy, supported at boardroom level, is fundamental in protecting all
stakeholder interests. Companies are continuously under attack. DDoS
attacks, as well as accidental or intentional security breaches, have
recently paralysed various industries. The so-called Carbanak attackers
recently committed the biggest digital bank robbery in history. The
threat posed from cyber crime is very real, and no industry is safe.
Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?
GEERTS: Luckily, most organisations acknowledge that they are exposed
to cyber threats one way or another; however, the level of response
to the exposure differs enormously. We believe that many companies
are struggling to determine an effective means of addressing this
evolving theme and how to assess their specific cyber risk exposure.
Solely investing in IT security without giving consideration to the
overall exposure is not sufficient. Various departments and disciplines
within any one organisation deal with cyber risks. They all assess the
risk within their own framework. Due to this multi-disciplinary context
it is key to bring all stakeholders to the table, qualify and quantify the
overall exposure, and subsequently manage the cyber exposure in an
integral manner.
Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN THE NETHERLANDS? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?
GEERTS: A number of major developments have taken place in recent
years. Until recently, only a few industries, such as the telecoms
sector, were regulated in this respect. However, we are now on the
verge of a new regulatory era which will affect all types of businesses.
On a local Dutch and EU level, strict regulations have been drafted
and implemented on how to ensure the protection of data privacy
and regulate what to do in the unfortunate event of a breach. Newly
adopted Dutch legislation regulates the option to impose fines up to
€810,000 or even 10 percent of the company’s revenue, in the event
of a serious violation. The Dutch Personal Data Protection Commission
will now be detailing this legislation.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?
GEERTS: Firstly, experience shows that it is impossible to fully prevent
any cyber breach from occurring. There is only so much an organisation
can do to protect against the potential risk. However, organisations
should acknowledge they are exposed, invest in up-to-date IT systems
and make sure a rapid detection system is in place in order to make a
quick and adequate response possible. Furthermore, organisations also
need to address the ‘softer elements’. Cyber defence is about much
more than just technique. Organisations need to create a culture to
become more robust and agile. Cyber risk awareness should be part of
a company’s DNA.
Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?
GEERTS: Effective response starts with good preparation. It is proven
that companies which have a crisis response plan in place act better
when a crisis actually occurs. We believe it is key to be prepared. Know
what to do, who to call and what is legally required. Why have business
continuity plans in place for a fire, but not for a cyber event? The doom
scenario for a company would be to have to admit that they had no
suitable controls and procedures in place for an imminent risk such
as cyber. Unpreparedness opens the door to D&O claims, and actual
resignations of D&Os have already occurred as a result.
Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?
GEERTS: The advantages of a risk transfer via an insurance solution are
multiple. First and foremost, the insurance can offer P&L protection
for the financial consequences of a cyber event. The overall costs of
an event should not be underestimated. Furthermore, the policy can
provide immediate access to service providers like forensic investigators
and IT specialists. This can be of significant importance, particularly for
those companies that do not have those resources in-house. There is a
wide range of products available. Since it is a fairly new insurable risk,
lots of development still needs to take place. In any case it is important
for a company, likely in collaboration with its broker, to tailor a policy
that actually fits the company’s risk profile and tolerance.
Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN THE NETHERLANDS OVER THE COMING YEARS?
GEERTS: The transformation from historical tangible products and
manual labour services to reliance on technology and information
assets is obvious. Cloud computing, mobile devices, social media, ‘big
data’ analytics and the explosion of the ‘Internet of Things’ prove this.
The risk exposure and risk profiles of companies change as a result of this
evolution. Furthermore, regulators react and the legislation becomes
more stringent. It is important that risk and insurance management
adapt to these changes as well. We should not be afraid of this kind of
innovation and progress; we should embrace it, as it will bring us great
opportunities as long as we adapt to this new reality.
Matthijs Geerts
Senior Insurance Broker
Aon Risk Solutions
+31 (0)10 448 72 14
Matthijs Geerts LL.M is senior broker with the Financial Institutions team within Aon Risk Solutions in the Netherlands. Besides specialising in, amongst others, directors and officers insurance, professional indemnity insurance and crime insurance, he is the product champion for the Dutch Financial Institution department with respect to cyber risk and insurance management. Mr Geerts joined Aon in 2007 after obtaining his law degree from Leiden University, Netherlands.
SCANDINAVIA
KRISTOFFER HALEEN, WILLIS AB
Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN SCANDINAVIA?
HALEEN: It is fair to say that all companies face cyber threats, but
the nature of the threats varies greatly depending upon the company’s
business and level of maturity. One threat that most companies have
in common is that of stolen or leaked intellectual property. In the
Nordics, we are also seeing that quite a few of our large manufacturers
are finding themselves vulnerable to attackers who are targeting their
networks. The purpose behind these attacks can be hard to establish,
but it seems that many attackers are increasingly gaining access to
operational systems, which may be an indicator of espionage, but also
that the attackers are preparing to damage production, which can have
very serious consequences.
Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?
HALEEN: Boards have a difficult task of managing resources and
attention to various areas. Risk management is just one of the areas
which requires attention, and cyber risks are part of the risk management
function as a whole. Cyber is not simply a matter of new risks that can
be reduced to a matter of IT security, but also an amplifier of classical
risks. The awareness of cyber related risks is certainly growing, although
the actions taken by boards vary greatly. It is clear to me that we as
a society need to devote more time and effort to cyber risks, and we
need to do so now.
Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN SCANDINAVIA? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?
HALEEN: The Nordic countries are, by and large, awaiting the
implementation of the General Data Protection Regulation (GDPR),
although some additional legislation has been implemented on a local
level. Earlier this year, Finland introduced some new privacy legislation,
which can be seen as proof the Nordic governments are taking these
matters very seriously. However, we are already seeing a number of
sophisticated companies beginning to implement processes and
policies in line with the discussions around the GDPR, which is very
encouraging. In particular, companies are starting to realise that the
privacy by design requirement is something that they need to adhere
to, whether or not they are forced by legislation.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?
HALEEN: Unfortunately, there are no silver bullets. No single control or
measure will have the same effect for every organisation, but will vary
depending on the nature and criticality of the information, as well as
the network structure. There are of course some measures that should
be regarded as best practice or even minimum standard when it comes
to information security. These include the encryption of all information
in transit and at rest, and a proactive approach to patch management.
Different monitoring measures can also be implemented fairly easily.
Furthermore, organisations need to implement policies and procedures
around scenarios – what happens if our systems fail? All organisations
need to have an idea of what a bad day looks like.
Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?
HALEEN: Organisations should always strive to own the stage when it
comes to breaches, which requires a number of things. First, make sure
that you learn the cause and extent of the incident – what has really
happened? Don’t hesitate to engage outside expertise, as the cost for
this is likely to be significantly lower than the cost of not knowing.
Second, if it concerns a privacy breach, expect public knowledge at some
point, and make sure that you are the one to tell your customers what
has really happened. A breach is not necessarily bad for your reputation,
but poor response surely is. If it is an intrusion of an operational system,
make sure that you close down the entry point. No one would leave a
door unlocked after a burglary; the same should go for a cyber breach.
Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?
HALEEN: For most companies, a cyber insurance policy will mitigate
much of the exposure, but there are some exposures, such as IP
leakages, that simply don’t have an effective insurance solution today.
Companies need to review the suggested policy against the exposures
their company faces, as the cover will operate in very different ways.
Insurers should make an effort to provide coverage in a clearer way
than what is the case today; most policies have ambiguities that no
one, least of all clients, can understand. To some degree, insurers are
not always clear on what they are covering, and certainly not on what
they want to cover. We see plenty of policies that don’t walk the talk.
Cyber insurance is also a lot about the quality of the response, not just
the cover in the wording.
Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN SCANDINAVIA OVER THE COMING YEARS?
HALEEN: There is very little to suggest that cyber crime will decrease
any time soon. It is just too easy and profitable as an industry, and
because most organisations are still struggling to get a grip on their
exposures, we will not win this battle in the near future. The political
changes of the world have an impact as well. The good news is that
organisations are waking up to this, and are changing the way they
operate accordingly. Data security will be a natural part of every
organisation’s risk management efforts. It will take a few years for
us to get there, and those years will be costly, but organisations will
eventually adapt.
Kristoffer Haleen
Client Advocate, Risk Solutions
Willis AB
+46 8 5463 5965
Kristoffer Haleen is a Client Advocate and Cyber Practice Leader with Willis AB. Advising clients on cyber related risks, he has helped both clients and insurers to find risk transfer solutions to difficult exposures. Using a holistic approach to cyber risks, Mr Haleen has been driving the development of cyber insurance and connecting insurance with risk management in Scandinavia. Prior to joining Willis, Mr Haleen worked as an underwriter on technology related risks at a major global insurer. He holds an LLM degree from Uppsala University.
AUSTRALIA
EMMA OSGOOD, AIG AUSTRALIA
Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN AUSTRALIA?
OSGOOD: One of the biggest problems for companies today is that
cyber threats are constantly evolving. For example, with a minor
code adjustment hackers can create a new variant of malware that a
company’s protection system may not be able to recognise. In fact, a
recent study identified 143 million new malware samples from 2014
alone and there are an estimated 12 million new variants every month,
placing an inordinate level of pressure on IT security professionals. One
particular variety of malware, commonly referred to as ‘CryptoLocker’, can
have devastating effects. CryptoLocker is a type of ransomware which is
typically spread through malicious attachments or links within emails
under the guise of something genuine. Once it corrupts a computer, it
begins encrypting files. The perpetrator will only release the decryption
key when a ransom payment is made. While anti-virus software and
firewalls provide a degree of protection for organisations, they cannot
prevent employees opening links in emails in good faith.
Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?
OSGOOD: While cyber security is on the agenda of many Australian
boards, directors are still struggling to come to grips with how to handle
the issues created by an attack and generally gauge their cyber security
risk. One of the most common discussions is around who has ownership
of monitoring cyber security – the IT department or risk management
and compliance teams? Our experience in these discussions shows that
IT departments are capable of addressing issues surrounding hardware
and software security. However, many cyber security issues arise from
employee or vendor management. We have seen a number of high
profile data breaches over the past 24 months arising from IT security
permissions granted to third party vendors. The most high profile cyber
breaches globally in recent times have affected Target and JP Morgan.
Companies need to look closely at the agreements they have in place
with vendors and undertake a thorough due diligence of their control
environment. Overall, there is still a great deal of work to be done
by Australian directors, but they are not alone. The Public Company
Governance Survey NACD 2013-2014 showed that 87 percent of
respondents, globally, reported that their board’s understanding of IT
risk needed to improve.
Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN AUSTRALIA? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?
OSGOOD: The long awaited changes to Australian Privacy legislation
commenced on 12 March 2014. The legislation introduced 13 Australian
Privacy Principles to replace the former National Privacy Principles
and Information Privacy Principles. For many companies, this was the
catalyst to take stock of their compliance and overhaul their data
protection policies. ‘Readiness’ became a buzz word which no doubt
received greater focus given the threat of significant fines from the
privacy commissioner of up to AUD$1.3m for serious or repeat offenders.
While the legislation was important, many were surprised that it did
not go as far as requiring mandatory reporting by those affected by a
data breach. Mandatory reporting will be a key milestone for Australia
– we know that companies are currently experiencing data breaches
but are not reporting them as there is no requirement to do so. ASIC
has started to be increasingly vocal about cyber risk, and has recently
released a report providing guidance to companies on managing cyber
risk. The report outlines their expectation that companies address cyber
risk as part of their legal and regulatory obligations and encourages
all companies to perform a ‘health check’ to assess their resilience to
potential breaches. The report is another key indicator that cyber risk is
firmly on the regulatory radar.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?
OSGOOD: First, companies need to scan their environment to identify the variety of exposures that they may face. These exposures need to be considered within the context of what they have in place already to determine whether that is sufficient. In addition, companies should ask their management teams a number of questions. Are they investing enough dollars into IT security? Are they promoting a culture of IT security awareness and vigilance among staff? While there may be a focus on prevention, do they have an incident response plan in place to address network security related issues? Is this plan tested?
Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?
OSGOOD: The Office of the Australian Information Commissioner set out a four-step process on how to respond to a data breach. The first step is breach containment and preliminary assessment. The second step is evaluation of the risks associated with the breach. Third is notification to affected individuals, if this is appropriate. And the final step is prevention of future breaches. Often, the media can focus on data breaches within the context of ‘what not to do’. However, there are some examples of how a timely, well-executed breach response plan can mitigate the fallout. While the number of customer account holders compromised during the Home Depot data breach was larger than at Target, some have observed that Home Depot was able to weather the storm better by implementing a clear and concise communication strategy.
Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?
OSGOOD: The Ponemon Institute determined that data breach or cyber insurance policies are becoming an increasingly important part of a company’s preparedness plans. In 2013, only 10 percent of respondents said their company purchased a policy. But by 2014 the percentage more than doubled to 26 percent. A number of insurers have been providing cyber risk solutions for many years and in doing so have accumulated valuable knowledge and resources that they can share with their clients – often before they are the victim of a cyber breach. Insurers are all too familiar with complex cross-border legislation governing data and should be able to provide immediate access to a specialist breach response team to help their policyholders. A cyber liability policy should be used as an adjunct to a robust risk management framework and can provide access to valuable resources.
Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN AUSTRALIA OVER THE COMING YEARS?
OSGOOD: Our reliance upon electronic data and technology is only going to increase in the coming years. Businesses will need to turn their minds to how to effectively operate within the threat landscape. With more insurers now offering proactive risk management tools as part of their offerings, I think we will continue to see an uptick in policy purchase.
“With more insurers now offering proactive risk management tools as part of their offerings, I think we will continue to see an uptick in policy purchase.”
Emma Osgood
Commercial Practice Leader, Financial Lines
AIG Australia
T: +61 2 9240 1736
Emma Osgood is the National Cyber Liability Manager for AIG Australia and is responsible for the management, development and delivery of AIG’s Cyber Liability product. She has worked at AIG for more than 11 years and managed the Professional Liability portfolio for the UK branch offices before joining AIG in Sydney in 2012. Prior to AIG, Ms Osgood spent five years broking at Alexander Forbes, Alfred Blackmore and Heath Lambert in the UK. Ms Osgood holds a BA (Hons) from Exeter University.
SOUTH AFRICA
KENNETH VAN SWEEDEN • AUTO & GENERAL
Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN SOUTH AFRICA?
VAN SWEEDEN: South Africa faces the same cyber threats as the rest of
the world, challenges such as spoof websites, phishing, illegal access and
hacking of cell phones and social media footprints left by users. South
Africa was ranked the sixth most active country for cyber crime by the
FBI recently – a result which is alarming for a country whose internet
penetration is around 14 percent. Several high profile cyber attacks
have already occurred in the country, including incidents involving
both financial and governmental institutions, as well as political party
websites.
Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?
VAN SWEEDEN: Based on discussions we’ve had with some of our clients, it would appear that cyber risk and data security are being debated far more regularly at board meetings. However, according to the results of the ‘IT Web Brainstorm Chief Information Officer Survey’, published in October 2014, “agility and speed of execution, budget, and lack of skills” are the operational concerns of South African CIOs. The survey showed that South African companies spend about one-third of their IT budgets on infrastructure, bandwidth and security. How much of this allocation is on security itself is hard to say, but it indicates that although the awareness of the threat to business is increasing, spending on security is seemingly not increasing at the same pace. With this in mind, there is still a lot more that companies and their boards should be doing in order to address this issue.
Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN SOUTH AFRICA? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?
VAN SWEEDEN: In South Africa, the Protection of Personal Information Act (POPI) was signed into law in November 2013; however, a commencement date has not yet been announced. Once a commencement date is announced, companies will only have a year to comply with the requirements of the Act. POPI brings South Africa in line
with international data protection laws and it reinforces South African
citizens’ constitutional right to privacy. The Act is an all-inclusive piece of
legislation that seeks to safeguard the integrity and sensitivity of private
information. In response, all entities operating in sectors that necessitate
them to handle personal particulars are required to carefully manage the
data capture and storage of personal information. Affected businesses
should determine what information is truly essential for collection and
processing in their businesses, and then inform customers, stakeholders
and employees why this is required to ensure that proper standards
protecting privacy are in place. Implementing a loss prevention strategy
and adopting best practice standards should be the minimum a company
does in this regard.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?
VAN SWEEDEN: Even if a company is very security conscious, and has done an excellent job protecting its computer system, a hacker – either internal or external – who is competent enough, determined enough and patient enough is nearly impossible to keep out. If someone steals your product designs, your customer list, your new marketing plans, your R&D data, and so on, it would be a blow that could have serious consequences for your business. Therefore, company decision makers must decide on the data that is critical to their company’s survival and focus on securing that data. IT experts know all too well that the perimeter defence strategy does not work. Critical data can be classified as data that is necessary to comply with legal or regulatory requirements to protect specific data, such as credit details and identity numbers, or data that is essential to the company’s ability to win in the marketplace, such as product designs and customer lists. There are a number of questions that should be asked by companies when identifying what data to protect, including: What data would harm the company the most if it fell into the wrong hands? What information gives the company its competitive advantage in the market? What data would someone want to steal? What knowledge makes the company better than its competition? Where is the company investing in research and development?
Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?
VAN SWEEDEN: Good data breach response plans should be prepared as part of the company’s overall disaster recovery plan. It will ensure that the company is well prepared to deal with a cyber breach and should include a number of steps to be taken in the event of a cyber breach. First, efforts should be made to gather the facts. Establish what the scope of the breach is and decide what facts should be disclosed to prevent harm to consumers and other affected parties. Second, appoint a response team. A predetermined chain of command allows for rapid response and informed decisions in a pressure situation while balancing the needs of the different stakeholders. Third, communicate the breach with the utmost sensitivity and attention. Accurately record your actions so that you can prove that you did everything in your power to prevent the breach, respond appropriately and mitigate risk to the customer. Finally, it is vital to act immediately. Companies should not wait to create a response plan. Budget for it and invest in data breach protections and procedures, while making data privacy best practices a part of the company’s culture.
Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?
VAN SWEEDEN: A company should transfer risk only after it has implemented all that it can to minimise and manage the cyber risks it faces. Most providers of cyber insurance products have the ability to offer a combination of pre- and post-loss assistance to the company. The pre-loss services would include services such as consulting to the company by giving assistance and recommendations with regard to risk assessment, risk control and response strategies. Post-loss services would include services such as assistance in dealing with third party vendors, identifying the applicable laws and contractual obligations the company must comply with, legal defence services in defending third party claims, and assistance with formal investigations.
“A company should transfer risk only after it has implemented all that it can to minimise and manage the cyber risks it faces.”
Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN SOUTH AFRICA OVER THE COMING YEARS?
VAN SWEEDEN: The advancement in technology is almost breathtaking at times. This obviously means that cyber criminals have constantly evolving technology at their disposal to exploit to their advantage. Cyber crime and cyber terrorism are the new frontier. The need for a concerted effort to address this threat at all levels within society is more important than ever before. In his address at the first South African Cyber Security Symposium held in South Africa on 1 March 2015, the Minister of State Security spoke about the need for improved collaboration between public, private and international stakeholders regarding cyber security in South Africa. In March 2012, the government approved a National Cybersecurity Framework, but this is still in the early stages of implementation. While it is encouraging that the issue is receiving attention at the highest level within government and industry, the sheer speed of evolution means that all those involved in cyber security will be hard pressed to keep abreast with developments. Unfortunately, it seems that we will remain vulnerable to cyber attacks for the foreseeable future.
Kenneth van Sweeden
Business Manager
Auto & General
+27 79 879 1735
Kenneth van Sweeden has been underwriting and developing liability products in the domestic insurance market for 30 years, the last 18 of which specialising in Directors and Officers Liability after launching the first D&O product sold in South Africa. He is responsible for the underwriting and development of Auto & General’s Professional Liability suite of products such as the Errors & Omissions (Professional Indemnity) product. Mr van Sweeden is an associate of the Insurance Institute of South Africa and a member of the Institute of Directors of Southern Africa and the Professional Liability Underwriters Society in the US.
ISRAEL
SHARON SHAHAM • AIG ISRAEL INSURANCE COMPANY LIMITED
Q IN YOUR OPINION, WHAT ARE THE MAJOR CYBER THREATS TO WHICH TODAY’S COMPANIES ARE VULNERABLE? COULD YOU COMMENT ON ANY RECENT, HIGH PROFILE CYBER ATTACKS IN ISRAEL?
SHAHAM: In the past, cyber breaches used to be sporadic and less
organised, conducted mainly by individuals, usually for personal gain.
Today, companies are exposed to cyber breaches by well organised
and funded groups. Although some attacks may still be for personal
financial gain, today the incentive for many attacks is often either
ideological or political, with the major intent of causing financial harm
to the attacked entity and jeopardising its business continuity. In Israel,
organisations such as Anonymous organise planned ‘attack days’ several
times a year, mainly against Israeli targets, thus far with no significant
published results. During specific times of activity there seems to be an
increase in cyber breach efforts in commercial or public organisations
identified with Israel. Beyond such organised attacks, one of the most
talked about events was an attempted extortion by an ex-employee of
a credit card company owned by one of the major banks in Israel, which
was unsuccessful.
Q GIVEN THE RISKS, DO YOU BELIEVE COMPANIES ARE PLACING ENOUGH IMPORTANCE ON CYBER SECURITY? ARE BOARD MEMBERS TAKING A PROACTIVE, HANDS-ON APPROACH TO IMPROVING POLICIES AND PROCESSES?
SHAHAM: Companies in Israel place a great deal of importance on cyber security. Israel is a hi-tech nation with access to the most innovative security and cyber solutions. As the tech-community in Israel is very well developed, local enterprises have easy access to the best knowledge and solutions in the country, as well as from the international community. Therefore, most of the investment and focus of companies remains with these IT solutions. However, most of these solutions emphasise prevention. Many experts agree today that the question regarding a cyber breach is not ‘if’, but rather a question of ‘when’. A recent survey conducted by an Israeli economic magazine, which was designed to examine the level of disclosure of cyber preparedness within the financial statements of the leading 100 public companies in Israel, indicated that half of those companies surveyed are failing to disclose any information regarding their readiness towards cyber threats. Therefore, it is imperative that companies allocate adequate efforts and resources toward compliance, training, risk management and an insurance solution to provide financial aid in the event of a breach, in order to ensure business continuity. Board members are becoming increasingly proactive in these areas.
Q TO WHAT EXTENT HAVE CYBER SECURITY AND DATA PRIVACY REGULATIONS CHANGED IN ISRAEL? HOW ARE THESE DEVELOPMENTS AFFECTING THE WAY COMPANIES MANAGE AND MAINTAIN COMPLIANCE?
SHAHAM: There is no specific cyber regulation in Israel. Rather, there are
various laws that relate to parts of the cyber scope, such as Protection
of Privacy Law, 5741 of 1981 and Freedom of Information Law 5758 of
1998. In addition, in 2006, the Israeli Law, Information and Technology
Authority was established under the Israeli Justice Department. The
purpose of this authority is to strengthen the security of personal
information and to lead the legislative and regulatory changes and
enforcement of violations. The government initiated the Cyber Bureau
to build and advance cyber security in Israel. At present, there is still
no regulatory duty to provide subject notification of a personal data
breach; this is quite the contrast to both the US and several industries
in the EU. Some industries regard the cyber issue as part of their privacy
compliance activities. However, in light of the above, we expect that
the coming years will see the instigation of several legal changes in
keeping with compliance trends in the US and EU.
Q IN YOUR EXPERIENCE, WHAT STEPS SHOULD COMPANIES TAKE TO AVOID POTENTIAL CYBER BREACHES – EITHER FROM EXTERNAL SOURCES SUCH AS HACKERS OR INTERNAL SOURCES SUCH AS ROGUE EMPLOYEES? WHAT KEY QUESTIONS SHOULD THEY BE ASKING WHEN REVIEWING AND REINFORCING THEIR SYSTEMS AND CONTROLS?
SHAHAM: It is safe to say that the majority of breaches affecting organisations originate from current or past employees without intent. However, a number of breaches are also caused by rogue employees. A significant reduction in exposure to this risk can be achieved in a number of ways. First, companies should refine their recruitment techniques, including more stringent background checks and initial training. Organisations should also do a better job conveying their privacy and conduct policies. Second, companies should focus on those members of staff they have employed. Organisations should carry out regular training exercises and updates, and ensure efficient controls of access authorisations. Finally, organisations should be more vigilant when it comes to termination. Care must be taken to terminate all possible access to IT systems or data upon leaving the company. In other areas, companies should closely monitor third party service providers and require good standards on privacy controls and access, including within the terms of contract. Furthermore, organisations should establish a comprehensive Business Continuity Plan specifically for a cyber event, including the process of returning to the normal course of business.
Q HOW SHOULD FIRMS RESPOND IMMEDIATELY AFTER FALLING VICTIM TO CYBER CRIME, TO DEMONSTRATE THAT THEY HAVE DONE THE RIGHT THING IN THE EVENT OF A CYBER BREACH OR DATA LOSS?
SHAHAM: A cyber event can pose a considerable threat to organisations and requires a strategic crisis management process. Even before such an event takes place, organisations should prepare a response. There should be a definitive plan which will help the company to map a thorough risk analysis of all potential exposures, including technical, financial, legal and public relation stakeholders who should take part during an event. This will constitute a major part of the business continuity plan. The immediate decisions and actions taken during the initial stages of the situation will greatly determine the success of the end result, the size of the financial damage and the continued exposures of the company. Accordingly, it is imperative that the company engages with experts in each field of exposure.
Q IN WHAT WAYS CAN RISK TRANSFER AND INSURANCE HELP COMPANIES AND THEIR D&OS TO DEAL WITH CYBER RISK, POTENTIAL LOSSES AND RELATED LIABILITIES? HOW ARE INSURANCE PROVIDERS ADJUSTING OR ENHANCING THEIR INSURANCE SOLUTIONS TO MEET MARKET NEEDS?
SHAHAM: The insurance policy as a financial model enables a company to transfer some of the potential risk to a third party: an insurance company. This portrays the proactive effort of management to reduce the company’s overall risk. The choice not to do so and take the total risk upon the company, in itself, might establish cause for a personal claim against D&Os for subjecting the company to such a loss, should it happen. In respect of the product itself, cyber insurance started out as a simple notification cost and third party liability policy. In light of market changes and needs, the recent focus has shifted toward providing pre-event services, first response and crisis management services, coverage addressing the reliance on cloud and other third party service providers, and first party business interruption coverage. The most recent updated version even enables a company to purchase cover for system failure, not necessarily due to a security failure.
“Technology is getting more and more sophisticated and complicated, and so are the abilities of third parties with harmful intent.”
Q WHAT ARE YOUR PREDICTIONS FOR CYBER CRIME AND DATA SECURITY IN ISRAEL OVER THE COMING YEARS?
SHAHAM: We expect to see an increase in the number of attacks worldwide, and we expect the trends locally to be no different, and possibly even harsher for Israeli entities. Indeed, Israel will continue to be one of the most attacked countries in the world. Technology is getting more and more sophisticated and complicated, and so are the abilities of third parties with harmful intent. As local regulation advances, this will expose local companies even more, which will enhance the need for IT security and related insurance.
Sharon Shaham
VP Commercial Lines
AIG Israel Insurance Company Limited
+972 3 721 8652
Sharon Shaham is the VP of Commercial Lines for AIG Israel Insurance Company Limited. Ms Shaham currently oversees the activities of Financial Lines, Property and Energy and Casualty Product Towers as well as Commercial Distribution. She joined AIG in 2010 as the Commercial Lines Business Development Manager. Previously she managed the Hi-Tech and Special Risks unit for a local insurer and has 15 years market experience. Ms Shaham holds a Masters in Business Administration and an LLM.